Medusa
Store APIAdmin API
Store APIAdmin API
Discord
Twitter
Linkedin
Github
  1. Getting Started
  • Getting Started
    • Introduction
    • Authentication
    • HTTP Compression
    • Publishable API Key
    • Expanding Fields
    • Selecting Fields
    • Query Parameter Types
    • Pagination
  • Auth
    • Customer Login (JWT)
      POST
    • Customer Login (JWT)
      POST
    • Check if Email Exists
      GET
    • Get Current Customer
      GET
    • Customer Log out
      DELETE
    • Customer Login
      POST
  • Carts
    • Create Payment Sessions
      POST
    • Refresh a Payment Session
      POST
    • Create a Cart
      POST
    • Complete a Cart
      POST
    • Select a Payment Session
      POST
    • Delete a Payment Session
      DELETE
    • Update a Payment Session
      POST
    • Get a Cart
      GET
    • Update a Cart
      POST
    • Add Shipping Method
      POST
    • Update a Line Item
      POST
    • Delete a Line Item
      DELETE
    • Add a Line Item
      POST
    • Calculate Cart Taxes
      POST
    • Remove Discount
      DELETE
  • Customers
    • Request Password Reset
    • Get Saved Payment Methods
    • Add a Shipping Address
    • Update Customer
    • Get a Customer
    • Update a Shipping Address
    • Delete an Address
    • Create a Customer
    • Reset Password
    • List Orders
  • Gift Cards
    • Get Gift Card by Code
  • Orders
    • Claim Order
    • Verify Order Claim
    • Get an Order
    • Look Up an Order
    • Get by Cart ID
  • Order Edits
    • Complete an Order Edit
    • Retrieve an Order Edit
    • Decline an Order Edit
  • Payment Collections
    • Authorize Payment Session
    • Authorize Payment Sessions
    • Refresh a Payment Session
    • Get a PaymentCollection
    • Manage Payment Sessions
    • Create a Payment Session
  • Products
    • Search Products
    • List Products
    • Get a Product
  • Product Variants
    • Get a Product Variant
    • Get Product Variants
  • Product Tags
    • List Product Tags
  • Product Categories
    • List Product Categories
    • Get a Product Category
  • Product Collections
    • Get a Collection
    • List Collections
  • Product Types
    • List Product Types
  • Regions
    • List Regions
    • Get a Region
  • Returns
    • Create Return
  • Return Reasons
    • List Return Reasons
    • Get a Return Reason
  • Shipping Options
    • List for Cart
    • Get Shipping Options
  • Swaps
    • Get by Cart ID
    • Create a Swap
  1. Getting Started

Authentication

There are two ways to send authenticated requests to the Medusa server: Using a JWT token or using a Cookie Session ID.

JWT Token#

Use a JWT token to send authenticated requests. Authentication state is managed by the client, which is ideal for Jamstack applications and mobile applications.

How to Obtain the JWT Token#

JWT tokens are obtained by sending a request to the Customer Login (JWT) endpoint passing it the customer's email and password in the request body. For example:
If authenticated successfully, an object is returned in the response with the property access_token being the JWT token.

How to Use the JWT Token#

The JWT token can be used for Bearer Authentication. It's passed in the
Authorization header as the following:

Cookie Session ID#

Use a cookie session to send authenticated requests.

How to Obtain the Cookie Session#

If you're sending requests through a browser, using Medusa's JS and Medusa React clients, or using
tools like Postman, the cookie session should be automatically set when
the customer is logged in.
If you're sending requests using cURL, you must set the Session ID in the cookie manually.
To do that, send a request to authenticate the customer and pass the cURL option -v:
The headers will be logged in the terminal as well as the response. You should find in the headers a Cookie header similar to this:
Copy the value after connect.sid (without the ; at the end) and pass it as a cookie in subsequent requests as the following:
Where {sid} is the value of connect.sid that you copied.
If you're sending requests using JavaScript's Fetch API, you must pass the credentials option with the value include to all the requests you're sending. For example:
Previous
Introduction
Next
HTTP Compression
Built with